Date: Wed, 19 Feb 2003 21:18:13 -0800
From: Lars Eggert <larse@ISI.EDU>
To: George Hartzell <hartzell@kestrel.alerce.com>
Cc: freebsd-questions@freebsd.org, freebsd-mobile@freebsd.org
Subject: Re: FreeBSD 4.7-REL-p3 and an IPsec connection to Linksys BEFVP41
Message-ID: <3E546515.4000703@isi.edu>
In-Reply-To: <15956.23535.146549.735318@rosebud.alerce.com>
References: <15956.23535.146549.735318@rosebud.alerce.com>
On 2/19/2003 8:39 PM, George Hartzell wrote:
> I'd like to set up an IPsec connection between my laptop running
> FreeBSD 4.7-REL-p3 and a Linksys BEFVP41 router w/ built in IPsec
> capability.
>
> I've found a number of sites w/ information on setting up ipsec
> between a pair of FreeBSD machines, including:
>
> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ipsec.html
> http://www.freebsddiary.org/ipsec-tunnel.php
> http://www.daemonnews.org/200101/ipsec-howto.html
> http://www.bsdtoday.com/2002/April/Features671.html
>
> But none that talk about getting FreeBSD's IPsec talking to anything
> non-FreeBSD.
>
> All of the methods are based on setting up a gif tunnel and passing
> the packets over that.

Not really. There are a number of different ways to set this up, and only one (valid) one uses gif tunnels:

1. Use IPsec transport mode. The handbook (1st link) explains how to set this up.

2. Use IPsec tunnel mode. Again, the handbook describes the setup, so does the bsdtoday article.

(Note that these two do not use IPIP gif tunnels!)

3. Use an IPIP gif tunnel and IPsec transport mode, as described in draft-touch-ipsec-vpn, and the daemonnews article. This is an alternative to IPsec tunnel mode that has advantages when running dynamic routing - you don't seem to, so you should stick to vanilla IPsec, esp. since you only control one end.

You do NOT want to follow the freebsddiary article, which sets up parallel IPIP gif tunnels and IPsec tunnel mode SAs. It abuses the duplicate tunnels for routing, and can result in subtle interactions that can make your traffic go silently unencrypted. (I've contacted the author a long time ago, but he doesn't seem to believe in fixing "diary" entries.)

> I've tried a number of variations on the
> recommended recipes, and at best I can watch the isakmp packet going
> from the laptop towards the router and see an icmp packet back
> from the router that suggests the gif tunnel isn't what it wants
> to see (sadly, I didn't save the exact message, but can recreate it if
> it's important enough).

Without a lot more information about your configuration, we can only guess at the issues.

> So, the quick question is, has anyone set up a FreeBSD laptop as a
> "road warrior" to an IPsec router? I'd appreciate any pointers.

All three approaches above can be made to work, as explained by the tutorials you cite. The question is, which one is supported by your Linksys box?

Lars

--
Lars Eggert <larse@isi.edu> USC Information Sciences Institute
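As an added example (not part of this thread or of any of the cited tutorials), a check for the failure Lars warns about: it scans `tcpdump -n` style output taken on the laptop and reports any outbound packet that left neither as ESP/AH nor as part of the ISAKMP exchange. The addresses and the capture lines are constructed for the example.

```shell
#!/bin/sh
# Added example; the laptop address and the sample capture are constructed.
LAPTOP=192.0.2.10        # constructed: the road-warrior laptop's address

# Constructed lines in the style of `tcpdump -n` on the laptop: the ISAKMP
# exchange, one ESP packet each way, two packets that went out in the clear,
# and an ICMP reply from the router (inbound, so not the laptop's leak).
SAMPLE='21:18:13.001 192.0.2.10.500 > 198.51.100.1.500: isakmp: phase 1 I ident
21:18:13.120 198.51.100.1.500 > 192.0.2.10.500: isakmp: phase 1 R ident
21:18:14.004 192.0.2.10 > 198.51.100.1: ESP(spi=0x00001001,seq=0x1)
21:18:14.005 198.51.100.1 > 192.0.2.10: ESP(spi=0x00002002,seq=0x1)
21:18:15.210 192.0.2.10 > 10.0.0.5: icmp: echo request
21:18:15.211 192.0.2.10.40123 > 10.0.0.5.22: S 12345:12345(0) win 65535
21:18:15.300 198.51.100.1 > 192.0.2.10: icmp: 10.0.0.5 unreachable'

# Print each capture line sourced from $LAPTOP that is neither ESP/AH nor
# ISAKMP keying traffic. With a "require" policy nothing should appear;
# anything printed left the laptop unprotected.
cleartext_leaks() {
  awk -v lap="$LAPTOP" '
    {
      for (i = 1; i <= NF; i++) if ($i == ">") break
      if (i > NF) next                              # not a packet line
      src = $(i - 1)
      n = split(src, a, ".")
      if (n == 5) src = a[1] "." a[2] "." a[3] "." a[4]   # drop a port suffix
      if (src != lap) next                          # only outbound from the laptop
      if ($0 ~ /: (ESP|AH)\(/ || $0 ~ /isakmp/) next    # protected or keying
      print
    }'
}

# Number of cleartext packets in the constructed capture (2 here).
leak_count() {
  printf '%s\n' "$SAMPLE" | cleartext_leaks | awk 'END { print NR }'
}

# Stand-alone run; for a live check pipe tcpdump into cleartext_leaks instead.
printf 'cleartext packets from %s: %s\n' "$LAPTOP" "$(leak_count)"
```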